RMI/util.rb: add handling of UnicastRef2 responses #11521
This PR adds the handling of UnicastRef2 responses in RMI serialized responses.
Whereas nmap's rmi-dumpregistry has no problem dumping it:
I searched for the root cause until I landed in lib/msf/core/exploit/java/rmi/util.rb.
This PR adds support for parsing this type. It is inspired by nmap's implementation:
If my understanding is correct, the main difference is that UnicastRef2 begins with a "form" byte that shifts the parsing of the rest if it isn't captured. The rest seems to be the same so I use the same code.
With the patch, the module works and we have the same result as with nmap:
The java_jmx_server exploit works fine too:
If that helps, the target is Tomcat 8 running on Windows.
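The format difference described in the PR, as an added example that is not Metasploit's own code: a small Ruby parser for the externalized UnicastRef / UnicastRef2 reference bytes, with a writer used only to construct sample input. It assumes the surrounding TC_BLOCKDATA chunk has already been unwrapped and does not handle the format-1 variant that embeds a socket factory object.

```ruby
# Added example (not Metasploit's own code): parse the externalized form of a
# java.rmi.server.RemoteObject reference, i.e. writeUTF(refType) followed by
# UnicastRef.writeExternal / UnicastRef2.writeExternal. Assumes the caller has
# already unwrapped the surrounding TC_BLOCKDATA chunk. Field layout (JDK
# LiveRef / TCPEndpoint / ObjID): UnicastRef = host(UTF) port(i32) objNum(i64)
# unique(i32) time(i64) count(i16) isResult(bool); UnicastRef2 = format(u8) then
# the same fields (format 1 also carries a socket factory object, rejected here).
class RmiRefParser
  # honor_format_byte: false shows the shifted parse when the byte is not consumed
  def initialize(data, honor_format_byte: true)
    @data = data.b
    @pos = 0
    @honor_format_byte = honor_format_byte
  end
  def read(n)
    raise "truncated at offset #{@pos}" if @pos + n > @data.bytesize
    s = @data.byteslice(@pos, n)
    @pos += n
    s
  end
  def read_utf
    read(read(2).unpack1('n')).force_encoding('UTF-8')
  end
  def parse
    ref = { type: read_utf }
    if ref[:type] == 'UnicastRef2' && @honor_format_byte
      ref[:format] = read(1).unpack1('C')
      raise 'socket-factory references not supported' unless ref[:format] == 0
    elsif ref[:type] != 'UnicastRef' && ref[:type] != 'UnicastRef2'
      raise "unknown reference type #{ref[:type].inspect}"
    end
    ref[:host]      = read_utf
    ref[:port]      = read(4).unpack1('N')
    ref[:obj_num]   = read(8).unpack1('q>')
    ref[:unique]    = read(4).unpack1('l>')
    ref[:time]      = read(8).unpack1('q>')
    ref[:count]     = read(2).unpack1('s>')
    ref[:is_result] = read(1).unpack1('C') != 0
    ref
  end
end
# Writer side of the same layout, used only to build constructed sample bytes.
def encode_ref(type, host, port, obj_num, unique, time, count, is_result)
  utf = ->(s) { [s.bytesize].pack('n') + s.b }
  out = utf.call(type)
  out << "\x00".b if type == 'UnicastRef2' # TCPEndpoint FORMAT_HOST_PORT
  out << utf.call(host) << [port].pack('N') << [obj_num].pack('q>')
  out << [unique].pack('l>') << [time].pack('q>') << [count].pack('s>') << [is_result ? 1 : 0].pack('C')
end
```

Parsing a UnicastRef2 sample with `honor_format_byte: false` yields an empty host and a garbage port, which is the shifted read the PR describes.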